@Fredtx said in 2 disks or 1 disk with 2 partitions for new VM?:

I'm building a new VM on a VmWare host to replace a 2008 server. The 08 VM has 2 virtual disks each mounted with a drive letter (C and D). Would it be better when creating the new VM to instead create 1 virtual disk, and divide it into 2 partitions (C and D)? Thoughts?

Partitions are a legacy concept and for all intents and purposes should not exist. They are never the right answer. Only systems too old to have an LVM would do that. Linux introduced it's LVM around 2000. Windows introduced its in 2003. So anything made since then, no partitions.

Much of the point of the physical card is to make a mental pathway in the human, not the phone, which builds a memory and enforces the connection. That's why we use paper, the way it interacts with the person.

Paper cards can always have all the info you want AND a QR code to allow for the digital transfer in a more universal way. That digital card isn't going to work with a laptop very likely. I have no idea how they work, as I've never had someone attempt to use one. If my phone is dead or not on me, it's useless. If my phone doesn't have your app, it's useless (I presume.) If I don't have the right kind of phone, I'm annoyed that you made me keep trying something you've not tested. Paper is universal and works.

Also, not me, but I know a lot of people who use paper cards as little note cards to write additional info on. Can't do that with the digital.

@notverypunny said in Tactical RMM:

Is there a general consensus with regards to the "appropriateness" of using Tactical in a production setting?

I don't know of any reason to question it. Most RMM I know you should be really scared of. Ninja, Kaseya, Barracuda, Connectwise... all I'd rule as totally out of the question to deploy on security grounds. Tactical is one of the few that can be short listed.

@notverypunny said in Tactical RMM:

but I was unaware of the whole monero issue https://www.reddit.com/r/msp/comments/rqm0go/a_statement_from_the_founder_of_tacticalrmm/

There is no issue. This is just BS stuff. It's not a thing, you weren't aware because it's not a real issue.

@travisdh1 said in Tactical RMM:

@notverypunny said in Tactical RMM:

Is there a general consensus with regards to the "appropriateness" of using Tactical in a production setting? I've setup a quick install to test and evaluate but I was unaware of the whole monero issue https://www.reddit.com/r/msp/comments/rqm0go/a_statement_from_the_founder_of_tacticalrmm/

Given the increasing costs of everything we're being asked for possible ways to cut opex but wouldn't want to put my head on the chopping block in the event that things go south.

There was no monero issue, unless someone screwed up by the numbers.

What other RMM are you able to audit the code for? All the closed source ones are generally even worse.

And I like that I can run it on my own system. Not worried about a vendor getting compromised through other clients or whatever. I can lock TacticalRMM down however makes sense for me.

@Pete-S said in Production KVM server "hardening"?:

Thanks! My intention was to put the management network behind a VPN - with MFA for human access.

We go farther and don't enable SSH. We use reach out, rather than reach in. It's more secure, extremely hard to attack.

@Pete-S said in Production KVM server "hardening"?:

VPN is used to get access to the private network. Servers are not accessible from internet.

This is the part that is weird. Like.... if we look at it from the outside, it's the same...

Step One: Access exposed port
Step Two: Access server

That behind the scenes it's a private network is irrelevant to someone attempting to access it. In both cases it's a published port that is heavily locked down with encryption and MFA. If you want, you can call the SSL layer of SSH a VPN (it literally is, in every sense) and you can call the inside of that tunnel a private network (it is in any meaningful sense) and voila, the two thigns are the same other than the double encryption which isn't "bad" but isn't beneficial either (typically.)

A bit of pain, no gain. But putting on my security auditor's hat.... it's a bit of "making people annoyed at pointless security" which is, itself, a huge security hole that creates risk. When you make security too onerous, and especially if there is no security justification for it, you typically create both a business need and an emotional desire to circumvent the security.

@Fredtx said in Does block level sync exist?:

My concerns is if this was a major disaster recovery situation such as the building catching on fire, we would be dead in the water. Especially if those files/folders were sensitive data.

If data integrity matters, block level is definitely not where you should be. You need application level awareness. That's a fundamental of backups (see my book on the subject, lolololol, no but seriously, I cover this in the book.)

@Pete-S said in Production KVM server "hardening"?:

My primary concern right now is if there are any special configuration needed to run pure minimal linux KVM virtualization hosts in production in a responsible manner.

Nothing too specific. Very much just general Linux hardening which is just general systems hardening.

@Fredtx said in Does block level sync exist?:

@scottalanmiller said in Does block level sync exist?:

@Fredtx said in Does block level sync exist?:

Block level synchronization would not be possible here as the data is compressed on the receiver but not the sender and the appliances are receiving data from different senders; the blocks would not look the same."

That would cause some amount of problem, yes. If they were compressing in the right place, though, it would not. This is a design flaw, not a data integrity flaw.

Here's an article on how their replication works. How offsite replication works barracuda backup

It says:
"When data is transferred offsite, it is further deduplicated by checking to see if the file part already exists on the offsite replication destination. If the part does not exist, the part is compressed, encrypted using 256-bit AES encryption, and transferred to the replication destination. If the part already exists on the offsite replication destination, the part is simply dropped and not transferred offsite."

From what I see. The backup (vm and agent level) of the servers to the Barracuda appliance (local server linux box) is application aware, but the offsite replication is not.

Dedupe, not compression, would be pretty simple to test if files are the same. Sounds like they are just lazy.

FYI: I'd never use barracuda stuff. These are the guys who had a fully open back door in their FIREWALLS open to the public. They are definitely a vendor I would never consider for anything critical. Email filtering, I suppose. But why do you have them for backups?

I do backups for financial systems, for example. And we always explain "well, we can quiesce the database and ensure that database is not corrupt, but we can never know if the database has been given quiesced application data because only the developers can tell us that".... and 99% of the time, the devs don't even know themselves and never accounted for needing to make the application safe to back up at all!

When I have my application developer hat on, we make our applications to have their own backup tools, because it's literally the only safe way to know you are getting good backups of a live system. The only. Full stop. If our customers were to buy backup software, it would be so goofy... because it would be extra effort to be less safe.

@Fredtx said in Does block level sync exist?:

I'm trying to get our divisions backup process in order, and looking at how everything is done, and why is it being done like the way it is, and if it's even working like it's supposed to.

Honestly, if your PARENT company doesn't understand backups, just get them to sign off that doing what they do is good enough and don't make this your problem. If you want to get into backup theory and how to truly protect data it will...

1. Never, ever be something that people doing this crap will understand.
2. Make them look like idiots for taking something so critical and ignoring the obvious problems with it (not even talking about the one you found.)
3. Put you in the line of fire for making managers look bad for not knowing the basics.

There's no upside to you.

@Fredtx said in Does block level sync exist?:

Barracuda backup is application aware for things like SQL and AD. Which takes a copy of the files, and puts it on the backup appliance (linux server)

Right, which is just a fancy way of saying it uses VSS. Everything does that, that's not considered application aware, because absolutely everything has that level of awareness - the agent that has the awareness is part of the OS. Barracuda isn't aware of any third party applications, including those that run on top of MS SQL.

@Fredtx said in Does block level sync exist?:

@scottalanmiller said in Does block level sync exist?:

Right, which is just a fancy way of saying it uses VSS. Everything does that, that's not considered application aware, because absolutely everything has that level of awareness - the agent that has the awareness is part of the OS. Barracuda isn't aware of any third party applications, including those that run on top of MS SQL.

Yea, I'm aware it uses VSS. I thought that's what you were referring to when talking about application awareness. But looks like you are referring to something else that I have a lack of knowledge or understanding on.

VSS is application aware, just one only one or two applications that we rarely care very much about. It's not aware of YOUR applications, but it knows about SOME applications. In a world of hundreds of thousands of applications, it probably knows a few dozen and that's about it. Nearly all are MS applications like AD and Exchange. That's about it.

In all these years, I've never once run into any application outside of the stock MS apps that any vendor took the effort to be application aware of natively out of the box for a general purpose backup software. It's just impossible to address everyone (let alone anyone's) needs, so there's no point in pretending.

@Fredtx said in Does block level sync exist?:

This design is "supposed" to adhere to the Backup 3-2-1 rule, but I guess technically it does not since the barracuda appliance (where local backup copies of servers resides) is replicating to another appliance at the block level. It's only hoping all the data is copied to the offsite storage.

If it was replicating for real, it could be verified with checksums. Everyone else that does this can do that.

@garak0410 said in Camera Server Can't Ping Network Device:

Any suggestions on what the cause could be?

Is the subnet set correctly on each device?

@Fredtx said in Does block level sync exist?:

@scottalanmiller Let me clarify. I want to make sure the "good" backups are copied to the offsite storage. So if the building were to catch on fire or something, and the good copies are destroyed. I would want to be able to restore from the offsite storage. In my case, some of the data was missing from the offsite storage that should have been replicated from the local "good" backup. Not sure what happened, and why it was not copied over, but it did not. I figured there would be some kind of sync mechanism that would have caught that ahead of time, which Barracuda said there is no such sync. That is why I reached out to the community.

We understand. And that's important because clearly your sync failed. It's just that it also exposed the fact that the original backups are not application aware (unless there is no application) so something that you should see as a very, very large issue. If you are responsible for the backups, that is. Otherwise, not your monkeys, not your circus.

@openit said in SUSE Manager for managing CentOS and SUSE servers.:

I believe SUSE Manager kind product I'm looking, especially for patching CentOS and SUSE servers.

Patching isn't something you need much for. That's the most basic of tooling and pretty universal. What kind of product are you looking for?

They are rarely important. The only major use of them is as one additional layer of spam protection, but a VERY minor one.

Where you see them used a lot is things like a traceroute. That's what allows you to identify the hops along the route.

@pmoncho said in POTS line replacement:

Our POTS line pricing was bumped again and with a call to AT&T we found out that there as a "newish" service AT&T Phone for Business Advanced. This service is suppose to be the replacement for specialty analog lines like Security/Fire Systems, elevators and such. The cost with 3-5 lines is significantly cheaper than our current bill.

It POTS is a requirement, then obviously this isn't an option for you. If this is an option (to leave POTS), why not leave to a business class modern phone system?

First rule of phones: rule out your local infrastructure provider as a potential candidate. It's the one company it is never safe to use.